A critical vulnerability in llama.cpp's RPC backend allows an unauthenticated attacker with TCP access to the RPC server port to achieve full remote code execution. The flaw was disclosed on April 1, 2026 and assigned CVSS 9.8 (Critical).
The root cause is in the deserialize_tensor() function: when a tensor's buffer field is set to 0, bounds validation is skipped entirely. An attacker can send crafted GRAPH_COMPUTE messages to trigger arbitrary out-of-bounds memory read and write. Combined with pointer leaks from ALLOC_BUFFER and BUFFER_GET_BASE RPC operations, this defeats ASLR and enables arbitrary code execution — no authentication required.
Any multi-node agentic deployment running llama.cpp with an exposed RPC port is fully compromised. The inference layer sits below all behavioral guardrails; an attacker who owns the inference engine controls the agent's entire output space without needing a jailbreak or prompt injection technique.
Immediate action: Upgrade to llama.cpp b8492 or later. Firewall the RPC port (default: not publicly accessible, but commonly exposed in distributed inference setups). Treat the RPC port as equivalent to an unauthenticated admin interface until patched.